On-Requirement SCIM provisioning of Azure AD to AWS SSO with PowerShell
In this post, I’ll demonstrate ways to work with a PowerShell script to initiate an on-demand synchronization between Azure Energetic Directory and AWS Single Sign-On (AWS SSO) and steer clear of the default 40-moment synchronization plan between both identity providers. This remedy helps enterprises synchronize adjustments designed to users quickly, organizations, or permissions within Azure Advertisement with AWS SSO. This enables user or permission changes to be reflected in associated AWS accounts quickly.
You need the next to perform this session:
This post targets the steps had a need to create the on-demand sync solution. You will discover specifics on how best to set up and make use of PowerShell and the Azure PowerShell modules at Installing Azure PowerShell.
Grant permission to the Graph API to gain access to the Default Directory within Azure AD
To begin with, grant the permissions necessary for the application to possess usage of the directory endpoint.
To grant permissions
- Sign into the Azure Portal and demand Azure Advertisement dashboard.
- From the left routing pane, select App registrations. In the event that you don’t see the application listed, choose the All apps tab.
For this example, I’m utilizing an application named AWS.
- Choose API permissions from the navigation pane.
- Choose the Add a permission option.
Figure 3: Choose the Include API permission
- From the configurations page that opens, pick the Microsoft Graph option.
Under What kind of permissions does the application require, select Delegated permissions and enter directory.readwrite.all within the permissions search industry. Select Directory.ReadWrite.All and choose Include permissions in the bottom of the page.Figure 5: Demand API permissions – Include permissions
- On the API permissions web page, choose Grant admin consent for Default Directory and choose Yes.
Determine 6: Grant permission for the account to possess administrator permissions
Create a key and certificate to gain access to the application
To get started, develop a key and certificate which grants protected usage of the AWS application.
To create a key
- Choose Certificate & secrets from the left routing menu and choose New customer secret.
- Select the desired amount of the certificate.
- Provide a explanation and choose Add.
- Copy the worthiness of the certificate that’s generated and conserve it to utilize later in this technique.
- After you’ve saved the worthiness to use afterwards, select Home from the very best still left corner of the screen.
Create a consumer with permissions to perform the code
Given that you’ve given the application usage of the directory, let’s develop a consumer and assign the correct permissions to perform the code.
To develop a user and assign permissions
- Choose Azure Active Directory from the Azure services checklist.
- Choose Users and choose New user. The User title, First title, and Final name areas are needed. In this illustration, I set the User name and First title to Auth and the Final name to User.
Figure 9: Develop a user within Azure AD
- Take take note of the password that’s set because of this user and conserve it to utilize later.
- As soon as completed, choose Create.
- Select the developed user from the listing newly.
Figure 10: Assign an individual the role to bring about the API
- On the remaining navigation pane, select Assigned roles.
- Choose Add assignments.
- Choose Hybrid identity administrator and choose Add.
- Select Default Directory from the very best of the routing pane.
- Choose Business applications.
- Select the AWS software.
- Select Assign users and groupings.
- Choose + Add user near the top of the window.
Figure 12: Choose the user we made earlier from Physique 9
- Select an individual you created previously. I select Auth as that has been an individual I created previously.
- Choose Select and Assign.
- Today that you’ve added an individual, you can view that an individual is assigned to the application form.
- It’s recommended to get on the Azure portal because the user you merely created in a fresh incognito or private internet browser session. Within the first sign in, you’ll end up being prompted to improve the password.
Prerequisites to induce the SCIM endpoint
You need the next what to run the PowerShell program code that creates the endpoint.
- From the application form registration, retrieve the things shown below. Remember that the client can be used by you key saved earlier once the certificate was created.
- Tenant ID
- Display name
- Application ID
- Client secret
- User name
- Copy the things to a notepad in the preceding order so that you can enter every one of them through a single duplicate and paste activity while working the script.
- From the menus, select Azure Energetic Directory.
- Choose App registrations and choose the AWS App that has been set up.
- Copy the Application (client) ID and the Directory (tenant) ID.
Result in the SCIM endpoint with PowerShell
Given that you’ve completed all the previous steps, you should copy the program code from the GitHub repository to your neighborhood machine and run it. We’ve configured the program code to manually run, but you may also automate it to result in an Azure Automation runbook when customers are put into Azure through Alerts. You can even configure CloudWatch Activities to perform a Lambda perform at periodic intervals.
To bring about the SCIM endpoint
- Copy the program code from the GitHub repository.
- Save the code utilizing the code editor of one’s choice, or it is possible to download Visual Studio Code. Supply the document a user-friendly title, such as for example Sync.ps1.
- Navigate to the positioning where you saved the file and operate./sync.ps1.
- When prompted, enter the ideals from the notepad. It is possible to paste these all at once so you need to copy and paste every individual item don’t.
Note: When copying and pasting within Windows, pick the PowerShell icon, Edit > then; Paste.Figure 16: Windows Order Prompt – Choose Paste to duplicate all items had a need to induce the sync
Once you paste the values in to the PowerShell window, the script sometimes appears by you input as shown in the next screenshot. Your client password and secret are secure values and so are masked for security purposes.
Following the job has were only available in PowerShell, two text messages are displayed. One indicating that synchronization is beginning and a following information when synchronization has finished. Both are demonstrated in the next figure.
See the synchronization standing and logs
To verify that the operating job ran successfully, you can examine the completed period from the Azure portal. It is possible to verify the proper time the script ran by viewing the completion time together with the current status.
To view the position and logs
- From the menus, choose Azure Energetic Directory.
- Choose Enterprise applications and choose the AWS App.
- From the still left navigation menus, choose Provisioning and choose Look at provisioning information. This shows the last period the sync completed.
In this article, I demonstrate ways to work with a PowerShell script to trigger the SCIM endpoint to on-demand synchronize Azure AD with AWS Single Sign-On. You can get the program code in this GitHub repository and utilize it to synchronize user and team changes on demand.
For those who have feedback concerning this post, submit remarks in the Comments section below.